1 Preface 

This is a preliminary note of some numerical experiments; the results may 
be rather wrong. 


2 Introduction 

This paper presents the results of numerical experiments to determine the 
probability, over concrete fixed finite fields, of prime-order elliptic curves having 
a prime-order twist. 

These curves are called “elliptic twins” by [7], and are useful for a variety of 
cryptographic applications.^1 

Most notable is that such curves are secure against an “insecure twist” attack. 
This attack was introduced in 2001 by Daniel Bernstein, see [2], who has 
proposed “twist-security” (a slightly weaker condition) as an essential safety 
criterion for elliptic curves. [1]^2 

The most interesting result of this paper is that, for the finite fields the 
NSA-generated curves are defined over, there is only an approximately 1/100 
probability of a random prime-order curve having a prime-order twist. 

P-384 was standardized by NIST in 1999, and generated by the NSA at some 
previous time. [9] It has a prime-order twist. [2] 

P-224 was standardized by NIST at the same time. It does not have a 
prime-order twist. In fact, its twist has only 58-bit security.^3 

^1 [7] only consider the asymptotic density of “elliptic twins” as a fraction of all elliptic curves, 
so their results only partially address the question of this paper. One analytic approach might 
be to combine their results with the results of [GalbraithMcKee]. 

^2 [1] cites Burton Kaliski ([5]) as introducing the so-called “unsafe-twist” attack, but 
I have been unable to find any evidence either in that paper or Kaliski’s thesis, [4], that he 
was aware of the attack. Kaliski’s construction of an elliptic-curve-and-twist-based random 
number generator does, however, require that discrete log be hard on both the curve and its 
twist, as he explicitly notes. 

^3 The twist of P-224 has a cofactor of 3^ · 11 · 47 · 3015283 · 40375823 · 267983539294927. [2] 

3 Elliptic twin curves 

We follow the definitions of [7], with some minor modifications. 

Let $E_j$ be the elliptic curve of invariant $j$, and $E_j(\mathbb{F}_q)$ be its reduction over 
a finite field of characteristic $p > 5, n > 1$ with $p$ prime. Let and $t(E_j(\mathbb{F}_q))$ be 
the trace of Frobenius of that elliptic curve. 

Let $E_j^*(\mathbb{F}_q)$ be the non-trivial quadratic twist of $E_j(\mathbb{F}_q)$ over the same field. 

An elliptic twin is a pair consisting of a prime $p$, and a set of two primes not 
equal to $p$ or 0, $\{\ell, \ell'\}$, such that 

$$\#E_j(\mathbb{F}_p) + \#E_j^*(\mathbb{F}_p) = \ell + \ell' = 2p + 2 \qquad (1)$$


[7] provide evidence that elliptic twins exist over arbitrary prime fields, but 
the formulae of [7] do not appear to provide precise estimates for fixed finite 
fields. 

4 Primes 

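We consider the non-Mersenne SECP primes, standardized for the use of the 
federal government in [9], which are, where $N := 2^{32}$: 

$$\begin{aligned}
P_{224} &= N^{7} - N^{3} + N^{0} \\
P_{256} &= N^{8} - N^{7} + N^{6} + N^{3} - N^{0} \\
P_{384} &= N^{12} - N^{4} - N^{3} + N^{1} - N^{0}
\end{aligned} \qquad (2)$$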


They are a subset of the class of Generalized Mersennes defined by [8]. 

5 Numerical methods 

5.1 Finding prime-order curves 

Method 1. A slightly modified version of PARI/GP was used to calculate 
the traces of prime-order curves, based on code of [HamburgPARI]. (The 
particular code used for this version of this paper may be found at [6].) 
Point-counting was aborted early if was found to have a small prime factor. This 
computation produced estimates for the density both of prime-order curves and 
elliptic twin curves over each field. 

Method 2. For P-384, a slightly larger computation was carried out using 
the same code, but set up to abort point-counting if either $\#E_j$ or $\#E_j^*(\mathbb{Z}_q)$ had 
a small prime factor. The experiment 

5.2 Results 


Experiment 1. We calculate Tr(j) for each $E_j$ for 0 < j < 2^°, j ≠ 1728, 
then test $\#E_j$ and $\#E_j^*(\mathbb{Z}_q)$ for primality. 

For this to be a reasonable procedure, it requires the assumption that 
j-invariant is not correlated with the probability of the curve being an elliptic 
twin, even on a local scale of 2^°. 

Let $N_\pi$ be the number of prime-order curves found, and $N_{\pi'}$ be the number 
of elliptic twins found. Then, in this range, we have: 

        $N_\pi$    $N_{\pi'}$    $N_{\pi'}/N_\pi$
P224    2790       31            1.1e-2
P256    1956       15            0.8e-2
P384    1131       20            1.8e-2
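
Experiment 1 at toy scale, as an added example that is not the paper's PARI/GP code: it scans every j-invariant of a small prime field, counts points naively (no early abort), and tallies prime-order curves and elliptic twins using the definition of Section 3. The prime 1009 and all function names are assumptions chosen for illustration.

```python
from math import isqrt

def is_prime(n):
    """Trial division; adequate for the toy group orders used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))

def curve_order(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b, by summing Legendre symbols (O(p))."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    half = (p - 1) // 2
    total = p + 1                       # point at infinity plus one per x on average
    for x in range(p):
        v = (x**3 + a * x + b) % p
        chi = pow(v, half, p)           # Euler criterion: 0, 1, or p-1
        total += -1 if chi == p - 1 else chi
    return total

def classify(a, b, p):
    """Return (order, twist_order, is_twin), using #E + #E* = 2p + 2."""
    n = curve_order(a, b, p)
    n_twist = 2 * p + 2 - n
    # Both orders prime, and neither equal to p (the definition excludes p).
    twin = is_prime(n) and is_prime(n_twist) and p not in (n, n_twist)
    return n, n_twist, twin

def experiment1(p):
    """Scan every j != 0, 1728 over F_p; return (N_pi, N_pi_prime)."""
    n_prime = n_twin = 0
    for j in range(1, p):
        if (1728 - j) % p == 0:
            continue
        k = j * pow(1728 - j, -1, p) % p   # y^2 = x^3 + 3k*x + 2k has invariant j
        n, _, twin = classify(3 * k % p, 2 * k % p, p)
        n_prime += is_prime(n)
        n_twin += twin
    return n_prime, n_twin

if __name__ == "__main__":
    p = 1009                               # constructed toy prime, not a SECP prime
    n_pi, n_tw = experiment1(p)
    print(f"p={p}: prime-order={n_pi} twins={n_tw} ratio={n_tw / max(n_pi, 1):.3f}")
```

Over F_17 the curve y^2 = x^3 + 2x + 2 has order 19 and twist order 17 = p, so `classify` rejects it as a twin even though both orders are prime.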

Experiment 2. Because of the small number of elliptic twin curves found 
in experiment 1, we planned to conduct the following experiment: For 1000 
pseudorandomly-generated j-invariants, set ji^ to a j-invariant, and increment 
until ji^n is an elliptic twin. The average of ji^n is then an estimator for $1/p(\pi')$. 

Due to resource constraints this experiment was aborted after finding only 
441 elliptic twins. 

Combining these results with those of experiment 1, after bootstrapping, 
gives a 99% confidence interval for $p(\pi' \mid \pi) = [0.005, 0.01]$. 


6 Future work 

In future work, we plan to extend the study to consider the more general 
question of the distribution of group structure and curve exponent for reductions 
of curves over fields for which their number of integral points is non-prime, and 
apply similar techniques with respect to the two curves proposed for IETF 
use, the nearly-Mersenne $M_{255} = 2^{255} - 19$ and the Hamburg-Solinas trinomial 
$H_{448} = 2^{448} - 2^{224} - 1$.^4 

(We probably won’t extend this work to the Mersenne M521, as that particular 
calculation is pestiferously large.) 


7 Conclusion 

The quantity $1/p(p) = N_\pi(p)/N_{\pi'}(p)$ is an estimator for the number of trials 
required, when choosing a prime curve uniformly at random in for that curve 
to be an elliptic twin. 

The probability, however, that no elliptic curves in a set of N curves are 
elliptic twins is, of course, 

$$\prod_{0<i<n} (1 - p_i)$$

^4 The Hamburg primes are “Karatsuba-friendly” and [3] was the first to publish an 
algorithm that fully takes advantage of their special form. 

With respect to the curves generated by the NSA for [SECP1], and subsequently 
standardized by [9], this calculation gives a probability of very approximately 
> 95% that none of the curves over $P_{224}$, $P_{256}$, and $P_{384}$ would be an 
elliptic twin. 

But the curve over P-384 is an elliptic twin. 

One might thus conclude that it is more likely than not that the NSA’s curves 
were not generated by a process that samples from a uniform distribution on 
prime-order curves over the chosen prime fields.^5 

In particular, this suggests that the NSA’s choice of seeds for the “random” 
prime curves was subject to additional safety criteria not yet publicly disclosed. 
(Or, of course, that things with 5% probability aren’t terribly rare events...^6) 

In addition, it suggests that the fever for “twist-security” which has taken 
grip of the cryptographic community is potentially dangerous: These are a 
smallish class of elliptic curves, and there is no evidence that - provided an 
implementation is not vulnerable to a small-twist attack - they possess either 
more or less structure than a non-twist-secure curve. 

Appendix. Cofactors for SafeCurves 


This table is adapted (read: stolen directly) from [2]. The rows have been 
sorted by the cofactor of the twist of the curve. The curves for which 
twist-security was a stated security criterion during the selection process have been 
omitted. 

Curve            $h(E_j)$   $h(E_j^*(\mathbb{Z}_q))$
secp384r1        1          1
secp256r1        1          3·5·13·179
secp256k1        1          3^·13^·3319·22639
FRP256v1         1          7·439·11760675247·3617872258517821
secp224r1        1          3^·11·47·3015283·40375823·267983539294927
brainpoolP256    1          5^·175939·492167257·8062915307·2590895598527·4233394996199
brainpoolP384    1          7·11^·241·5557·125972502705620325124785968921221517


^5 Why, then, don’t all of $P_{224}$, $P_{256}$, and $P_{384}$ have safe twists? Note that the probability 
of that would be $\prod_{0<i<n}(1 - p_i)$’ than 1.5e−6, or a roughly 1 in 630,000 chance. 

^6 In partial defense of the NSA: Suppose that it did, in fact, draw the seeds for the SECP 
prime curves uniformly at random until it found prime order curves. There is no good way of 
the NSA “proving” that it followed this procedure honestly, even if it did. This reinforces the 
importance of some “rigidity” criterion, as per [NUMS]. 